The Forum of Incident Response and Security Teams (FIRST) is a non-profit organization that aims to help computer security incident response teams across the world. FIRST is also the owner and manager of the Common Vulnerability Scoring System (CVSS), which is an open framework for communicating the characteristics and severity of software vulnerabilities [1].

CVSS provides a standardized way to measure and compare the impact of different vulnerabilities, based on various technical factors, such as how easy they are to exploit, how much damage they can cause, and how difficult they are to fix. CVSS also allows users to customize the scores according to their specific environment and threat landscape, by taking into account additional metrics, such as the availability of exploits, the value of the affected assets, and the effectiveness of the existing security controls [2].

CVSS has been evolving since its first version in 2004, with major updates in 2007 (v2.0) and 2015 (v3.0). The latest version, CVSS v4.0, was officially released on November 1, 2023, after a public preview and comment period that started on June 8, 2023 [1]. CVSS v4.0 introduces several changes and improvements over the previous version, with the goal of making it more accurate, transparent, and applicable to a wider range of vulnerabilities [2].

Some of the main features of CVSS v4.0 are:

CVSS v4.0 aims to provide a more comprehensive and flexible framework for assessing software vulnerabilities’ severity in different contexts and scenarios. It also strives to improve the clarity and consistency of its definitions and calculations, as well as its documentation and guidance. CVSS v4.0 is expected to be widely adopted by security researchers, vendors, organizations, and users as a common language for describing and comparing vulnerabilities’ characteristics and risks [2].